NOTE · 2026-06-24
Migrating OTP to Physical Security Key for Enhanced Security
Situation
The current OTP provider, which is integrated with the password manager, is due for renewal; this has prompted a review of the authentication infrastructure.
Background
Hardware security keys were already available, but not consistently integrated into legacy authentication workflows. This created an opportunity to make better use of existing security hardware rather than continuing to rely on software-only or vault-coupled OTP storage.
Assessment
Storing passwords and TOTP seeds in the same vault is convenient, but it increases blast radius if the vault is compromised. Separating TOTP generation from password storage reduces coupling between factors and lowers reliance on a single provider or application.
Recommendation / What we have done
Migrate legacy TOTP entries from software/vault-based authenticators to Yubico Authenticator as part of a periodic security hardening cycle. Prioritize high-impact accounts, verify recovery paths before migration, test login after each change, and remove old OTP entries only after successful verification.
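A small verification helper for the "test login, then remove the old entry" step above. This is an added example, not code from the original note or from Yubico; it assumes standard RFC 6238 TOTP parameters (HMAC-SHA1, 6 digits, 30-second step) and uses only a constructed placeholder seed, so the code shown by the new authenticator can be checked against what the seed exported from the old vault entry produces before that entry is deleted.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed placeholder seed in the base32 form an exported vault entry
# carries (NOT a real secret; illustration only).
EXAMPLE_SEED_B32 = "JBSWY3DPEHPK3PXP"


def totp(seed_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time, as a zero-padded string."""
    # Base32 exports are often stored without '=' padding; restore it before decoding.
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", for_time // step)          # 8-byte big-endian time step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def migration_verified(seed_b32: str, code_from_new_authenticator: str,
                       now: Optional[int] = None, window: int = 1) -> bool:
    """True only if the code displayed by the new authenticator matches the code
    the old vault's seed produces, allowing +/- `window` time steps of clock skew.
    Remove the old OTP entry only after this returns True."""
    now = int(time.time()) if now is None else now
    for drift in range(-window, window + 1):
        expected = totp(seed_b32, now + drift * 30)
        # Constant-time compare so the check itself does not leak timing information.
        if hmac.compare_digest(expected, code_from_new_authenticator):
            return True
    return False


if __name__ == "__main__":
    # Operator pastes the code shown by the new authenticator; the old entry stays
    # until this reports a match.
    shown = input("Code shown by the new authenticator: ").strip()
    print("verified, safe to remove old entry" if migration_verified(EXAMPLE_SEED_B32, shown)
          else "mismatch: keep the old entry and re-check the seed")
```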
Lesson
Once completed, the migration consolidated scattered credentials, laid the groundwork for a more secure authentication process, and restored TOTP to its role as a genuine second factor by decoupling it from password management.